Perl Inline Command Execution

Nov 2, 2023 · attack.execution attack.t1059 ·

Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code.

Sigma rule (View on GitHub)

 1title: Perl Inline Command Execution
 2id: f426547a-e0f7-441a-b63e-854ac5bdf54d
 3status: test
 4description: Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code.
 5references:
 6    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
 7    - https://www.revshells.com/
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2023/01/02
10tags:
11    - attack.execution
12    - attack.t1059
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection_img:
18        - Image|endswith: '\perl.exe'
19        - OriginalFileName: 'perl.exe' # Also covers perlX.XX.exe
20    selection_cli:
21        CommandLine|contains: ' -e'
22    condition: all of selection_*
23falsepositives:
24    - Unknown
25level: medium

References

Reverse Shell Cheat Sheet

If you’re lucky enough to find a command execution vulnerability during a penetration test, pretty soon afterwards you’ll probably want an interactive shell. If it’s not possible to add a new accou...

Read More
Online - Reverse Shell Generator

Online Reverse Shell generator with Local Storage functionality, URI & Base64 Encoding, MSFVenom Generator, and Raw Mode. Great for CTFs.

Read More

Perl Inline Command Execution

Sigma rule (View on GitHub)

References

Reverse Shell Cheat Sheet

Online - Reverse Shell Generator

Related rules